PASSWORD SHARING ALERT TO ALL PAYSITE OWNERS!!!

QuickDraw · 2006-06-08, 08:26 PM

Don't forget about IRC, newsgroups, etc. Rather then worry about password sharing sites though, you should be worrying about securing your sites. I highly suggest generating your own passwords ( don't let the user pick them ) and install something like StrongBox ( http://www.bettercgi.com/strongbox/ ). Surfers are getting savvy.. it's up to you to keep crackers out.

[BV] · 2006-06-09, 02:26 AM

Quote:

Originally Posted by QuickDraw

, you should be worrying about securing your sites..

Yes, all 21 of them.

Basic paysite 101. Get ProxyPass or StrongBox (they seem to be the top 2)
I use ProxyPass.

You have to think of password site traffic as free traffic. Don't bitch about it, make money off it.

Some of those sites have been around for over 6 or 7 years, maybe longer. Do a search on ultrapasswords, he's probably the most well known.

Jim · 2006-06-09, 10:21 AM

Quote:

Originally Posted by [BV]

Yes, all 21 of them.

Basic paysite 101. Get ProxyPass or StrongBox (they seem to be the top 2)
I use ProxyPass.

You have to think of password site traffic as free traffic. Don't bitch about it, make money off it.

Some of those sites have been around for over 6 or 7 years, maybe longer. Do a search on ultrapasswords, he's probably the most well known.

I often wondered why a simple script that looked at logons and passwords and ip addresses wouldn't be a lot cheaper than any other type of software. If the same logon and password was used by 3 different ip addresses in a 24 hour period, that logon and password would be deleted. Simple, Cheap and to me anyway, looks like it would work fine.

ClickBuster · 2006-06-09, 11:56 AM

Quote:

Originally Posted by Jim

If the same logon and password was used by 3 different ip addresses in a 24 hour period, that logon and password would be deleted. Simple, Cheap and to me anyway, looks like it would work fine.

Actually this is a terrible way to do this, cause AOL users change their IPs every 15 minutes or something like that. You'll get tons of banned users that are actually regular members.

Jim · 2006-06-09, 12:46 PM

Quote:

Originally Posted by ClickBuster

Actually this is a terrible way to do this, cause AOL users change their IPs every 15 minutes or something like that. You'll get tons of banned users that are actually regular members.

I don't know...I just looked at this boards ip addresses. We have a webmaster with over 200 posts that only comes here through aol. And through all the posts and thousands of times they have been here, they have only used 4 different aol proxy ip addresses. So, instead of 3, bump it to 5 or even 10 and it will still work and be free.

Looking at this, "When a member initially connects to the AOL host complex, the client software receives network configuration information, including the IP addresses for the local system and for the DNS server. The member's IP address is a Dyamically Assigned Hardware Address (DAHA), which is an address that is assigned to a session. Once the session has ended, the address may be reassigned." it looks like the aol user is good until they log off. And even then, "the address may be reassigned".

[BV] · 2006-06-10, 02:23 AM

Quote:

Originally Posted by Jim

I often wondered why a simple script that looked at logons and passwords and ip addresses wouldn't be a lot cheaper than any other type of software. If the same logon and password was used by 3 different ip addresses in a 24 hour period, that logon and password would be deleted. Simple, Cheap and to me anyway, looks like it would work fine.

That's exactly part of what proxypass does along with protecting from bruit force attacks.

It actually changes the password.

You can't stop there though.
The real owner of that password needs to be notified of the new password. Finally we have that process automated as well.
Otherwise you need to have someone on it 24/7 or you end up with unhappy customers as 99% of shared passwords are not shared by the owner.

frankthetank · 2006-06-10, 04:33 AM

Quote:

Originally Posted by [BV]

... as 99% of shared passwords are not shared by the owner.

That´s interesting but I have to admit I can´t follow. If the owner of the password doesn´t share it, where do they get it from?

Is it a guess or do you think they use spy software?

I´m not familiar with those problems because I don´t run a pasite yet, but I´m building one. So it´s an interesting part for me.

spazlabz · 2006-06-10, 06:19 AM

Quote:

Originally Posted by frankthetank

That´s interesting but I have to admit I can´t follow. If the owner of the password doesn´t share it, where do they get it from?

Is it a guess or do you think they use spy software?

I´m not familiar with those problems because I don´t run a pasite yet, but I´m building one. So it´s an interesting part for me.

there are programs out there for people who really enjoy hacking paysites that make it very easy
hackers comes along and wants to se your content or show off that he can 'hack' a site all they need is;
the right software (extremely easy to get)
a descent sized word list
your members URL (http://www.yoursite.com/members) authorization failed provies this quickly
5 proxies (again easy to find)

you get get literally dozens of working U/Ps in under a minute esp if the site has been around for awhile. New sites are harder to hack like this.

spaz

[BV] · 2006-06-10, 07:25 PM

Quote:

Originally Posted by frankthetank

That´s interesting but I have to admit I can´t follow. If the owner of the password doesn´t share it, where do they get it from?

Is it a guess or do you think they use spy software?

I´m not familiar with those problems because I don´t run a pasite yet, but I´m building one. So it´s an interesting part for me.

Yes, basically I would classify it as a guess, that's why you do not want your members picking their own passwords.

You want to generate them a random pass. Makes it much harder for the hackers and their scripts to guess. They basically try thousands and thousands of user pass combos on your site until they find one that works. Another reason why you want to use something like proxypass. After one IP tries to log in unsuccessfully after so many times it bans that IP for a period of time.

Now as far as the old user pass, if someone tries to log in using the shared combination again, you send them to a fake members area.

2006-06-08, 08:26 PM	#1
QuickDraw Heh Heh Heh! Lisa! Vampires are make believe, just like elves and gremlins and eskimos! Join Date: Jan 2006 Posts: 72	Don't forget about IRC, newsgroups, etc. Rather then worry about password sharing sites though, you should be worrying about securing your sites. I highly suggest generating your own passwords ( don't let the user pick them ) and install something like StrongBox ( http://www.bettercgi.com/strongbox/ ). Surfers are getting savvy.. it's up to you to keep crackers out.